SHA1 of the password is computed over its UTF-16LE encoding

SID for the HMAC is also in UTF-16LE (don't forget
the \0 !)

Windows 2000 does not use SHA1/3DES. We think
it uses SHA1/RC4 (anyone want to try?).
The documentation states that a compatibility
mode for Windows 2000 exists.

The registry key to trigger it is unknown.

If we are correct and W2k uses RC4,
then the mystery key is possibly an RC4
key (256 bits is the correct size).




PBKDF2 used to compute the IV??

Renewed every 3 months automatically



Passive process: executed when CryptProtect
is called

Hardcoded limit (location unknown)

Possibly in psbase.dll (MS crypto provider)

Can be reduced by using a registry override
Key escrow attack: plant a key and update the
Preferred file every 3 months (e.g. using the task
scheduler)
Master keys are re-encrypted when the password
changes

Experimentally not all of them, just the last few
overview

DecryptCredhist {
    (USID - ComputerID - AccountID)
    tmp-key = HMAC(sha1, SID)
    pre-key = PBKDF2(decryptKey, nbIteration)
    3desKey = pre-key[0-23]
    3desIV  = pre-key[24-31]
    (SHA[0-19], HMAC[20-39]) = 3des-cbc(3desKey, iv, encKey)
}
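The derivation sketched above, as an added Python example (not code from the slides or from DPAPIck): it covers the UTF-16LE encoding, the NUL-terminated SID, the HMAC-SHA1 step and the PBKDF2 split into 3DES key and IV. The PBKDF2 PRF (HMAC-SHA1), the salt (taken here to be a 16-byte value stored with the entry) and all sample values are assumptions; the final 3DES-CBC step is left out because the standard library has no 3DES.

```python
# Added example, not the slides' or DPAPIck's code. Assumptions: PBKDF2 uses
# HMAC-SHA1, the salt is a 16-byte value stored with the CREDHIST entry, and
# the sample password/SID/salt/iteration count below are constructed.
import hashlib
import hmac


def sid_to_bytes(sid: str) -> bytes:
    """SID as UTF-16LE *with* the terminating NUL ("don't forget the \\0 !")."""
    return (sid + "\x00").encode("utf-16-le")


def user_key_from_password(password: str, sid: str) -> bytes:
    """tmp-key = HMAC-SHA1(key=SHA1(UTF-16LE password), msg=UTF-16LE SID + NUL)."""
    pwd_hash = hashlib.sha1(password.encode("utf-16-le")).digest()
    return hmac.new(pwd_hash, sid_to_bytes(sid), hashlib.sha1).digest()


def credhist_3des_material(decrypt_key: bytes, salt: bytes, nb_iteration: int):
    """pre-key = PBKDF2(decryptKey, nbIteration); 3desKey = [0-23], 3desIV = [24-31].
    PRF assumed HMAC-SHA1, 32 bytes of output so both pieces come from one call."""
    pre_key = hashlib.pbkdf2_hmac("sha1", decrypt_key, salt, nb_iteration, dklen=32)
    return pre_key[0:24], pre_key[24:32]


def split_credhist_plaintext(plaintext: bytes):
    """Layout of the 3DES-CBC output per the slide: SHA1 at [0-19], the next 20
    bytes (labelled HMAC) at [20-39]. Rejects short buffers instead of silently
    returning truncated hashes."""
    if len(plaintext) < 40:
        raise ValueError("CREDHIST plaintext shorter than 40 bytes: %d" % len(plaintext))
    return plaintext[0:20], plaintext[20:40]


def demo():
    # Constructed sample values; not real credentials and not from the slides.
    password, sid = "P@ssw0rd!", "S-1-5-21-1111-2222-3333-1001"
    salt, nb_iteration = b"\x11" * 16, 4000
    tmp_key = user_key_from_password(password, sid)
    key3des, iv3des = credhist_3des_material(tmp_key, salt, nb_iteration)
    return tmp_key, key3des, iv3des


if __name__ == "__main__":
    t, k, i = demo()
    print("tmp-key :", t.hex())
    print("3desKey :", k.hex())
    print("3desIV  :", i.hex())
```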
LSASS secret contains a DPAPI SYSTEM value

Length: 2*SHA1

Usage is unknown

We think that one of them is used as the SYSTEM
account "password"

Needs to be confirmed
Certificate private key is encrypted with DPAPI

Keys are stored in

To read EFS files offline, we just need to import the
user certificate and its private keys into our key
store.

Work in progress in DPAPIck
Can we build a rogue crypto provider?

What are the two SHA1 stored in the LSA?

Where is the renewal hard limit stored?

CryptDeriveKey needs to be reversed to have a
fully portable implementation (everything else is
already portable)